Pronounced: Juh-MAH-ruh (think 💎)
Gemara is a standardized, machine-readable data model designed to bridge the gap between high-level compliance requirements and low-level technical evidence. By providing a structured schema (powered by CUE), Gemara enables automated risk assessment, consistent reporting, and interoperability across the security toolchain.
- View the model and supporting resources at gemara.openssf.org
- Find schemas in this repository, or in the CUE central registry.
- Use the schemas directly with cue to validate Gemara data payloads, and more.
- Use the Go SDK, github.com/gemaraproj/go-gemara, to integrate Gemara schemas into your automated tools, and consult our Go docs.
Some Gemara use cases include:
- FINOS Common Cloud Controls (Layer 2)
- Open Source Project Security Baseline (Layer 2)
- Privateer (Layer 5)
We're so glad you asked - see CONTRIBUTING.md, and if you have any questions or feedback, head over to the OpenSSF Slack in #gemara.
You can also join the biweekly meeting on alternate Thursdays.
See Gemara Bi-Weekly Meeting on the OpenSSF calendar for details.